Ajax Security Team: Are they Iran's latest threat?

FireEye thinks so, but a passive glance into their history suggests otherwise

Page 2 of 2

The aforementioned company used by AST, Pars Security (Pars Pardazesh Hafez Shiraz Ltd.), offers a wide range of services, including penetration testing, wireless hacking, and security training.

According to the company's website, it was founded in order to provide "services to the private and public sectors...based on over 5 years of experience in the field of IT and in managing the Ajax hacker group..."

Keeping with the pro-Iranian stance, AST's Ali Ali Pur spent a considerable amount of time showing off his website defacements and spreading pro-Iranian propaganda on ajaxtm[.]com - his personal blog. Shortly after the FireEye report was published, he started deleting the website.

However, a post referencing money problems, leading to an inability to pay for hosting, seems to contradict the notion that the group is government funded - or well-funded at all for that matter.

Throughout their existence, the group has done a number of website defacements and coordinated attacks on individuals. Likewise, they've disclosed vulnerabilities in various Web apps, as well as leveraged known vulnerabilities in order to deface a given target. Moreover, in recent times, they've either written or purchased code (a Remote Access Trojan) to target anti-censorship supporters.

Given the money problems, it's a better bet that they adapted code for their usage, or someone coded it for them - it isn't uncommon for programmers to support nationalistic hackers.

However, these actions don't make them a state-sponsored group or "APT" actors. Based on everything that's presented in the FireEye report and established online, nothing they've done is really advanced. Targeting low-hanging fruit is the easiest path to success, and even rookie criminals know that rule.

All things considered, everything that's in the public eye about them places this group in the same context as the Iranian Cyber Army or the Syrian Electronic Army. In short, they're a low-level threat.

There's nothing wrong with watching them, or being aware of their methods and activities, but they're not a group worth panicking over. Moreover, the threads of evidence used to tie AST to the DIB attacks are being called into question.

"The 'Ajax Security Team' appears to have connections with both traditional cyber crime organizations as well as government entities, however without additional information it is unknown if they work directly for a government or are possibly contracted. The affiliation with Iran is even circumstantial without additional information," Adam Kujawa, head of Malware Intelligence at Malwarebytes, said.

In their blog on the topic, FireEye makes mention of malware that was previously unknown to the security community being used by AST in their attacks on anti-censorship supporters.

This unique malware is one of the key pieces of the report, and something that is used to single them out as a threat and tie them to the Iranian government. But does it really tie them to anything?

"The biggest problem with trying to attribute nation-state malware to a specific country is that without hard evidence or the country in question admitting they own the malware, it can be made to look like it came from anywhere... Purchasing a server, including a foreign language or time zone and even using common applications known to a specific country (in this case the Iran anti-censorship software) could all be red herrings," Kujawa added.

Copyright © 2014 IDG Communications, Inc.
